The NHS has become a proverbial football in the EU referendum debate; one side claiming a Brexit would save the NHS millions, the other that it would do immense damage to a system already under huge financial strain.
But less attention has been paid to the implications of Brexit on storage of NHS data, at least some of which sits in data storage centres scattered throughout Europe.
As of today that NHS data stored offshore, be it purely financial or deeply personal, is covered by European data regulations, including the soon-to-be-replaced Safe Harbour provisions.
If the UK remained in the EU that NHS data would also be subject to the incoming General Data Protection Regulation, which will impose stricter controls and penalties for data breaches.
But if the UK leaves the European Union, what will happen to this NHS data without those regulations is much fuzzier; much of it is locked into long-term contracts and held in data centres on the continent.
Digital Health News understands there is growing concern among some health IT professionals that NHS data will need to be repatriated, and talk that suppliers are already gearing up to charge a premium for UK-based storage services.
One NHS IT director said there had been very little guidance about what would happen to NHS data being stored off-shore, and that there was concern about the cost of moving it back to the UK.
“It’s going to cost three times as much to host data in the UK.”
Steve Bromham is a co-founder of the cloud computing and cyber security company Save9, which has regularly worked with NHS trusts on data storage solutions.
He said plenty of trusts had data, including patient identifiable data, stored in European data centres, often because it was cheaper. Some, particularly the small organisations, were even unaware their IT suppliers were shifting their data off-shore.
However, concerns about data protection were already pushing data storage back to the UK, with some cloud storage companies building up their UK-based data storage capacity.
A Brexit would accelerate this process and likely lead to a law change requiring data to be retained in the UK, or possibly even England, he said.
“You can see the writing on the wall,” he said.
“If people have locked themselves into lengthy contracts they could take quite a financial hit.”
With a possible exit looming, Digital Health News understands questions have also been raised about the current rules and just what data, if any, NHS organisations should be keeping the country.
Currently, the Data Protection Act requires UK data to be stored within the European Economic Area, but provides an exception when there is “adequate protection”.
NHS England’s data protection policy further states that NHS employees must “not send any personal information outside of the United Kingdom without the authority of the Caldicott Guardian”.
With the referendum looming on Thursday, the government, including staff that work within NHS IT, have been under purdah, preventing them from discussing anything that might influence the vote, including the impact on NHS data.
Even getting a clear answer on the current rules has been difficult. The Department of Health referred questions to the HSCIC, which in turn referred questions to the Information Commissioner’s Office.
An ICO spokeswoman said there were no separate legal requirements for NHS organisations handling data, referring back to the legal requirement to retain data in the European Economic Area.
However, whatever the result of the referendum, the Data Protection Act “will remain in force for the time being”, she said.
In practice, even if the country does vote to leave the EU on Friday, there should be no immediate impact on NHS data off-shoring.
But as with many questions swirling around the EU Referendum, the longer term implications are both shrouded and potentially dramatic.